Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows7-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows7-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows7-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows7-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows7-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows7-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows7-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows7-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows7-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows7-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows7-x64

10

Stealers/Dridex.dll

windows10-2004-x64

10

Stealers/M..._2.exe

windows7-x64

10

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows7-x64

10

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows7-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows7-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

03-09-2024 14:02

240903-rb57sazdqf 10

03-09-2024 13:51

240903-q59avszclf 10

02-09-2024 19:51

240902-yk8gtsxbpd 10

02-09-2024 02:27

240902-cxh7tazflg 10

02-09-2024 02:26

240902-cwxc2sygll 10

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

240609-vm7rjadd73 10

13-05-2024 17:36

240513-v6qblafe3y 10

12-05-2024 17:17

240512-vty3zafh5s 10

Analysis

  • max time kernel
    150s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-09-2024 14:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stealers/Dridex.dll

  • Size

    1.2MB

  • MD5

    304109f9a5c3726818b4c3668fdb71fd

  • SHA1

    2eb804e205d15d314e7f67d503940f69f5dc2ef8

  • SHA256

    af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d

  • SHA512

    cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01

  • SSDEEP

    24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4564
  • C:\Windows\system32\bdechangepin.exe
    C:\Windows\system32\bdechangepin.exe
    1⤵
      PID:1108
    • C:\Users\Admin\AppData\Local\9QO3fx\bdechangepin.exe
      C:\Users\Admin\AppData\Local\9QO3fx\bdechangepin.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4700
    • C:\Windows\system32\PresentationSettings.exe
      C:\Windows\system32\PresentationSettings.exe
      1⤵
        PID:4656
      • C:\Users\Admin\AppData\Local\m36SkYbL\PresentationSettings.exe
        C:\Users\Admin\AppData\Local\m36SkYbL\PresentationSettings.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2820
      • C:\Windows\system32\osk.exe
        C:\Windows\system32\osk.exe
        1⤵
          PID:3444
        • C:\Users\Admin\AppData\Local\k3PCjaJ\osk.exe
          C:\Users\Admin\AppData\Local\k3PCjaJ\osk.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3504

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9QO3fx\DUI70.dll
          Filesize

          1.5MB

          MD5

          8babe087c4067392ddb2d8dbbdc6419a

          SHA1

          83157f09078a495e3f28d187814dbd9840c14357

          SHA256

          45f8fe8e5a48189d721a156b615674fef94593a5181f20acceefc248392a17a9

          SHA512

          2406bddefac1da9418d01f3aacff1f06897e5343fe419caf0eefb5b0d974f1916a1b7c47c107eb0a7012291fdde4042bb71929ba52f5ddabef404fd4b4c2c06b

          Download Submit

        • C:\Users\Admin\AppData\Local\9QO3fx\bdechangepin.exe
          Filesize

          373KB

          MD5

          601a28eb2d845d729ddd7330cbae6fd6

          SHA1

          5cf9f6f9135c903d42a7756c638333db8621e642

          SHA256

          4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

          SHA512

          1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

          Download Submit

        • C:\Users\Admin\AppData\Local\k3PCjaJ\WMsgAPI.dll
          Filesize

          1.2MB

          MD5

          5b70bd8b6bf3e99df65118f2cedd06d4

          SHA1

          1c629829b5b8080398859ece0bb0640b8c16e246

          SHA256

          96cead1866c5d0ae72d1cff64daa55f5d714e2037a5007e820d73ada9a64213e

          SHA512

          c3959e5b3bb6a06675b4c759a11fd41e42ebc6d5365ef052e141b1ed0781de8ec7b3a2d370bfa9b17bdd07f7f5600acaa833075c6898bc610ad39ff8c38935c4

          Download Submit

        • C:\Users\Admin\AppData\Local\k3PCjaJ\osk.exe
          Filesize

          638KB

          MD5

          745f2df5beed97b8c751df83938cb418

          SHA1

          2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

          SHA256

          f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

          SHA512

          2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

          Download Submit

        • C:\Users\Admin\AppData\Local\m36SkYbL\PresentationSettings.exe
          Filesize

          219KB

          MD5

          790799a168c41689849310f6c15f98fa

          SHA1

          a5d213fc1c71a56de9441b2e35411d83770c01ec

          SHA256

          6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

          SHA512

          8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

          Download Submit

        • C:\Users\Admin\AppData\Local\m36SkYbL\WINMM.dll
          Filesize

          1.2MB

          MD5

          b8182d81e74cd24a0d4a9aa76aa81c20

          SHA1

          3c7e20b6a400145043a09b1784874559308a75e1

          SHA256

          3b247dc9e2db631f0fa6a301badf4e8349270e22f236df12553918f0a65d5633

          SHA512

          a719d2b492155a88c33679cab769ef11182115af6e3419fab87d03495af95d3d279814dabcc888c75ecc0f87516b3b09511c50cd1e2c281e110be7a3f704e192

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppmzgvduo.lnk
          Filesize

          1KB

          MD5

          e4155a41a9b4bd31fb52d11f0e34fe91

          SHA1

          a3adf8f0eca17ed7a48066df7851bca0ac141847

          SHA256

          ef001c094ddd42f731e3a1f13b550df8fc8197a86e1418a0715512239ee3b30e

          SHA512

          3da0fb87cd6cfc490ce794b758e3b8e12585545d45ffcd00ab9ce7869089959b161de05786de9f829a373cedbbde894c773cbdbd292b94c1f9f39f0b2467837f

          Download Submit

        • memory/2820-69-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2820-64-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2820-63-0x0000025597520000-0x0000025597527000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3432-16-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3432-12-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3432-10-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3432-9-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3432-8-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3432-7-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3432-4-0x0000000002570000-0x0000000002571000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-36-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3432-6-0x00007FFBC2DEA000-0x00007FFBC2DEB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-13-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3432-14-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3432-11-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3432-15-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3432-25-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3432-30-0x00007FFBC43D0000-0x00007FFBC43E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-29-0x0000000000A20000-0x0000000000A27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3504-81-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3504-80-0x0000029FD8900000-0x0000029FD8907000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3504-86-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4564-1-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4564-39-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4564-0-0x0000019058A60000-0x0000019058A67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4700-52-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4700-47-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4700-46-0x000001AE35DC0000-0x000001AE35DC7000-memory.dmp

          Filesize

          28KB

          Download